Compromised Vendor Spear Phishing Attack - Abnormal Security

In this attack, attackers use a compromised vendor account to spear phish the vendor's customers and steal credentials from their employees.

Quick Summary of Attack Target

Platform: Office 365
Email Security Bypassed: Office 365
Mailboxes: 15,000 to 50,000
Payload: SharePoint File with Malicious Link
Technique: Vendor Compromise

What was the attack?

Setup: This attack originates from a known vendor whose account shows evidence of being compromised. By sending a spear phishing campaign from that account to the vendor's partners, attackers hope to breach partner accounts and use the stolen credentials for further malicious purposes.

Email Attack: This attack has multiple layers. It begins with the compromised vendor sending a brief message instructing the recipient to remit payment before the order ships, along with an attached file that is supposed to be an invoice. Instead, the file contains an embedded hyperlink that redirects to a suspicious OneDrive document. In this case, the recipient of the email replied directly to the attacker to make the partner aware that their account had been hacked. In turn, the attacker responded to the recipient and tried to placate any fears by affirming they did mean to send the document, and re-shared the raw link that leads to the landing page.

Payload: There are two payloads in this attack. The first is the attached file that redirects to a OneDrive document with a hyperlink embedded in the “View Document” text, which leads to a phishing landing page. The second payload is the SharePoint file sent to the recipient after they engaged with the attacker. It is the same link, which directs the recipient to a OneDrive-styled landing page where users are asked to input their credentials.

Result: If the target falls for this type of attack, their credentials will be compromised, along with any data stored in their account. This puts employees and their networks at considerable risk, as attackers can then launch internal attacks to steal more credentials and information from the organization.

Why is this attack effective?

Urgency: The language in the body communicates a sense of urgency to the recipient. The recipient is instructed to remit payment before they receive the goods, which motivates them to act on the request as quickly as possible.

Compromised Vendor: This email is coming from the account of a vendor that communicates with this customer relatively frequently. The attacker in this case is capitalizing on the relationship between the vendor and the victim to increase the likelihood the target will believe the files are legitimate, because they are originating from a trusted source.

Social Engineering: The attacker took the extra step of responding to the recipient's statement of mistrust in the file by making up an excuse, so that the recipient would be more likely to click on the malicious link and enter their credentials.
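The three lures above, together with the payload chain described earlier (an "invoice" attachment that only carries a file-sharing link, and the same link re-shared after the recipient pushes back), can be turned into a mail-triage rule. The following Python is an added example and not Abnormal Security's code; the message schema, the share-host list, the regexes and the sample thread are constructed assumptions.

```python
import re
from urllib.parse import urlparse

SHARE_HOSTS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")  # hosts in the report's payload chain
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(r"remit payment|before (we|they) ship|payment (is )?due", re.I)
PUSHBACK_RE = re.compile(r"hacked|compromised|suspicious|did you (mean|send)", re.I)

def is_share(url):
    h = urlparse(url).netloc.lower()
    return any(h == s or h.endswith("." + s) for s in SHARE_HOSTS)

def share_links(msg):
    """Share-host URLs in the body plus those extracted from attachments."""
    urls = URL_RE.findall(msg["body"]) + [u for a in msg.get("attachments", []) for u in a.get("links", [])]
    return {u for u in urls if is_share(u)}

def score_message(msg, known_vendors):
    """Score one message on the lures the report describes; returns (score, reasons)."""
    reasons = []
    if URGENCY_RE.search(msg["body"]):
        reasons.append("payment urgency language")
    for att in msg.get("attachments", []):
        if re.search("invoice", att["name"], re.I) and any(map(is_share, att.get("links", []))):
            reasons.append(f"'invoice' attachment {att['name']} carries a share link")
    if any(map(is_share, URL_RE.findall(msg["body"]))):
        reasons.append("link to file-sharing host in body")
    # A known vendor plus these lures is exactly the report's scenario: weight it up, not down.
    weight = 2 if msg["sender"].split("@")[-1].lower() in known_vendors else 1
    return len(reasons) * weight, reasons

def reshared_after_pushback(thread):
    """True when the sender repeats a share link after the recipient questioned it."""
    seen, questioned = set(), False
    for m in thread:  # chronological order
        links = share_links(m)
        if m["direction"] == "inbound" and questioned and links & seen:
            return True
        questioned |= m["direction"] == "outbound" and bool(PUSHBACK_RE.search(m["body"]))
        seen |= links
    return False

LINK = "https://onedrive.live.com/view?id=abc"  # constructed sample URL
THREAD = [  # constructed sample thread mirroring the report; domains are placeholders
    {"direction": "inbound", "sender": "ap@vendor-example.test", "body": "Please remit payment before we ship the order.",
     "attachments": [{"name": "Invoice_4471.pdf", "links": [LINK]}]},
    {"direction": "outbound", "sender": "buyer@customer.test", "attachments": [], "body": "I think your account was hacked."},
    {"direction": "inbound", "sender": "ap@vendor-example.test", "attachments": [], "body": "Yes, I meant to send it: " + LINK},
]
```

Note that the vendor being a known, trusted sender raises the score rather than lowering it: in this scenario the established relationship is the lure, so an allow-list would suppress exactly the message that should be held for review.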
